Hello again, this is the second part of our Azure Sentinel blog series about our journey towards more secure and modern SecOps. If you're new here, here's the first one: How and why we chose Azure Sentinel. In this article, you'll learn about the instant benefits you can get from implementing the SIEM & SOAR solution Azure Sentinel, and why that's important.

1. Start using Azure Sentinel without investments

By now you already know that Azure Sentinel is a cloud-native SIEM/SOAR solution. This means that you don't have to go through lengthy planning, installation, or hardware acquisition processes. Yes, some planning needs to be done before deploying an Azure Sentinel workspace, but Sentinel is just a few clicks away afterward. The good news is that you don't have to pay anything until you ingest data.

For us and everybody else, this means that we can start using Sentinel without any investment, and if (for whatever reason) Sentinel does not meet our expectations, it is possible to delete the workspace and stop paying for the solution right away.

Connecting some cloud resources like Office 365 is really easy if you have the necessary permissions (read/write permissions on the Sentinel workspace, and Global Administrator or Security Administrator in the Azure AD tenant). All you need to do is find the connector page and enable the connector. Insights from Exchange Online activities were important for us, as we wanted to see additional permissions being granted to mailboxes (which mailboxes have been affected and who added the permissions). Once the Office 365 connector was enabled, we immediately got the workbook showing an overview of all activities in Exchange Online. The following chart shows results for activities like the addition of mailbox permissions, mailbox creation, DLP rule matches, and sending emails on behalf of other users. However, it is possible to filter the data by any other activity and get more detailed results instantly.

Azure AD is another cloud resource. If it gets connected with Sentinel, one of the most valuable outcomes is the workbook that shows locations, device types, applications that are authenticating to Azure AD, and other useful information. If logons from suspicious locations were shown, we knew that this had to be analyzed, as it could be a malicious actor trying to log in.

Active Directory (AD) domain controllers are usually the most important on-prem resources we want to connect to a SIEM system. In our case, we found an obsolete connection from a cloud service, which was not used anymore.
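For the mailbox-permission question raised above (which mailboxes were affected and who added the permissions), here is an added KQL query that is not part of the original post; it assumes the standard OfficeActivity table that the Office 365 connector populates and the Exchange Online cmdlet names that appear in the audit log.

```kql
// Added example, not from the original post: answer "which mailboxes got new
// permissions, and who granted them?" from the Office 365 connector data.
// Assumes the standard OfficeActivity table, where the Parameters column holds
// the cmdlet parameters as a JSON array of {Name, Value} pairs.
OfficeActivity
| where TimeGenerated > ago(7d)
| where OfficeWorkload == "Exchange"
| where Operation in ("Add-MailboxPermission",        // FullAccess, ReadPermission, ...
                      "Add-MailboxFolderPermission",  // folder-level access
                      "Add-RecipientPermission")      // SendAs
| extend Params = parse_json(Parameters)
// flatten the Name/Value array into one property bag per event
| mv-apply Params on (
    summarize P = make_bag(bag_pack(tostring(Params.Name), tostring(Params.Value)))
  )
| project TimeGenerated,
          Operation,
          GrantedBy = UserId,                             // admin who ran the cmdlet
          Mailbox = tostring(P.Identity),                 // mailbox that was affected
          Trustee = coalesce(tostring(P.User), tostring(P.Trustee)),  // who gained access
          AccessRights = tostring(P.AccessRights),
          ClientIP,
          ResultStatus
| order by TimeGenerated desc
```

Grants made by accounts outside the expected admin group, or to trustees outside the organisation, are the rows worth reviewing first; the same filter can be saved as a workbook query or turned into a scheduled analytics rule.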